Privacy Policy

TL;DR - The Straight Truth

We built MCP Hubby to be a secure proxy for your AI assistant. Here's what that means for your privacy:

✓ What we collect:

  • Your email and name (for your account)
  • OAuth tokens (encrypted, stored by Nango) to access services you connect
  • Which services you've connected and when
  • Technical logs (API endpoint called, timestamp, response status) for 90 days

✗ What we DON'T collect or store:

  • Email content, attachments, or email metadata
  • Calendar events, attendee lists, or event details
  • Contact information (names, emails, phone numbers)
  • Google Drive files, file metadata, or folder structures
  • Any content from your connected services (Notion pages, Dropbox files, etc.)

✗ What we will NEVER do:

  • Sell, license, or monetize your data - ever
  • Train AI models on your data
  • Serve you ads or use your data for advertising
  • Build profiles or analyze your behavior
  • Let humans read your emails, calendar, or files (except for security/legal requirements)

→ Your control:

  • Disconnect any service instantly from your hub
  • Delete your entire account and all data anytime
  • When you disconnect, OAuth tokens are deleted immediately
  • Request your data or deletion: privacy@mcphubby.ai

How we work: When your AI asks for your Gmail, Calendar, Contacts, or Drive, we authenticate the request with your OAuth token, forward it to Google in real-time, and send the response back to your AI. Nothing is stored. We're just a secure pipe between your AI and your services.

Introduction

Welcome to MCP Hubby ("we", "our", or "us"). We're committed to protecting your privacy and being transparent about how we collect, use, and share your information. This Privacy Policy explains our practices regarding data we collect through our service.

Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Profile picture (optional)
  • Authentication credentials (managed securely by Clerk)

Service Connection Data

When you connect third-party services (Calendar, Notion, etc.):

  • OAuth tokens (encrypted and securely stored by Nango)
  • Service identifiers (e.g., which services you've connected)
  • Connection timestamps and status

Usage Data

We collect information about how you use our service:

  • API requests and responses (for service functionality)
  • Feature usage patterns
  • Error logs and diagnostic data
  • Browser type and operating system

How We Use Your Information

We use your information to:

  • Provide and maintain our service
  • Authenticate you and authorize service connections
  • Process API requests to connected services on your behalf
  • Send service-related notifications and updates
  • Improve our service and develop new features
  • Detect and prevent fraud and abuse
  • Comply with legal obligations

Data Security

We take security seriously:

  • Authentication: Managed by Clerk with industry-standard security
  • OAuth Tokens: Encrypted and stored securely by Nango
  • API Keys: Encrypted at rest, never exposed to clients
  • Transmission: All data transmitted over HTTPS
  • Access Control: Strict user isolation - you can only access your own data

Third-Party Services

We integrate with third-party services:

  • Clerk: Authentication and user management
  • Nango: OAuth token management and refresh
  • Connected Services: Calendar, Notion, Linear, etc. (as you choose to connect)

These services have their own privacy policies. When you connect a service, you're also agreeing to their terms and privacy practices.

Google Calendar Data Handling

When you connect Google Calendar to MCP Hubby, we act as a secure proxy for API requests:

  • No calendar storage: We do not store your calendar events, attendee information, event descriptions, or any calendar metadata on our servers
  • Real-time proxying: Google Calendar API requests from your AI assistant are forwarded in real-time using your OAuth token
  • Token storage only: We only store your encrypted OAuth access token (via Nango) to authenticate API requests
  • No logging of content: Calendar event data passing through our proxy is not logged or retained
  • Direct to Google: All calendar data flows directly between Google's servers and your AI assistant through our proxy

Why we need these permissions: We request the calendar scope (full calendar access) to enable comprehensive calendar management including viewing events, creating events, updating existing events, checking free/busy status, and managing multiple calendars. This full access scope is necessary to provide complete calendar functionality that your AI assistant needs to effectively manage your schedule.

You can revoke Google Calendar access at any time from your hub or directly through your Google Account settings. When you disconnect, we delete the OAuth token immediately.

Google Contacts Data Handling

Google Contacts functionality is bundled with Google Calendar. When you connect Google Calendar, you can also access contacts through the same connection. We act as a secure proxy for API requests:

  • No contact storage: We do not store your contact information, names, email addresses, phone numbers, or any contact metadata on our servers
  • Real-time proxying: Google People API (Contacts) requests from your AI assistant are forwarded in real-time using your OAuth token
  • Token storage only: We use the same encrypted OAuth access token (via Nango) as Google Calendar to authenticate API requests
  • No logging of content: Contact data passing through our proxy is not logged or retained
  • Direct to Google: All contact data flows directly between Google's servers and your AI assistant through our proxy

Why we need these permissions: We request the contacts.readonly scope (read contacts) to enable your AI assistant to search contacts, retrieve contact information, and help you find people's email addresses or phone numbers. Full contacts access allows creating and updating contacts on your behalf.

You can revoke Google Calendar/Contacts access at any time from your hub or directly through your Google Account settings. When you disconnect, we delete the OAuth token immediately.

Google Drive Data Handling

When you connect Google Drive to MCP Hubby, we act as a secure proxy for API requests:

  • No file storage: We do not store your file content, file metadata, folder structures, or any Drive data on our servers
  • Real-time proxying: Google Drive API requests from your AI assistant are forwarded in real-time using your OAuth token
  • Token storage only: We only store your encrypted OAuth access token (via Nango) to authenticate API requests
  • No logging of content: File content and metadata passing through our proxy is not logged or retained
  • Direct to Google: All Drive data flows directly between Google's servers and your AI assistant through our proxy

Why we need these permissions: We request the drive.readonly scope (read files), drive.file scope (manage files created by the app), and drive.appdata scope (app-specific data storage). This allows your AI assistant to search your files, download content for analysis, create folders, and share files on your behalf.

You can revoke Google Drive access at any time from your hub or directly through your Google Account settings. When you disconnect, we delete the OAuth token immediately.

Your Rights and Choices

You have the right to:

  • Access: Request a copy of your data
  • Correction: Update incorrect or incomplete data
  • Deletion: Request deletion of your account and data
  • Disconnect: Remove service connections at any time
  • Export: Download your connection settings
  • Opt-out: Unsubscribe from marketing emails

To exercise these rights, contact us at privacy@mcphubby.ai. We will respond to your request within 30 days.

Data Retention and Deletion

We retain your data:

  • Account Data: Until you delete your account
  • OAuth Tokens: Until you disconnect a service or delete your account
  • Usage Logs: For 90 days (for debugging and analytics). These logs contain only technical metadata (API endpoint called, timestamp, response status) and do not include email content, calendar event details, or other user data from connected services.
  • Legal Requirements: Longer if required by law

How to Request Data Deletion

To request deletion of your data:

  1. Email privacy@mcphubby.ai with your deletion request
  2. We will confirm your identity and process your request within 30 days
  3. All your account data, OAuth tokens, and connection settings will be permanently deleted
  4. Usage logs will be purged or anonymized within 90 days of deletion

You can also delete individual service connections at any time from your hub, which immediately revokes OAuth access and deletes the associated tokens.

International Users

Our service is hosted in the United States. If you're accessing from outside the US, your information will be transferred to, stored, and processed in the US where our servers are located.

Children's Privacy

Our service is not intended for children under 13. We don't knowingly collect information from children under 13. If we discover we've collected such information, we'll delete it promptly.

Google API Services User Data Policy

MCP Hubby's use and transfer of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Limited Use Disclosure

Data accessed through MCP Hubby from Google APIs (Gmail, Google Calendar, Google Contacts, and Google Drive) is used exclusively to provide Model Context Protocol (MCP) functionality. This means:

  • Data is accessed only in real-time to fulfill specific user requests made through their AI assistant
  • Data flows directly between Google's servers and your AI assistant through our proxy
  • We process requests as they occur without storing the content of emails, calendar events, or Drive files

What We Do NOT Do with Google Data

We explicitly do not and will never:

  • Sell, license, or monetize your Google user data - Your Calendar and Drive data has no commercial value to us and is never sold or licensed
  • Store email content, calendar event details, contact information, or Drive file content - Only OAuth tokens are stored (encrypted by Nango)
  • Use data for advertising - We do not serve ads or use your data for advertising purposes
  • Build user profiles - We do not analyze your data to build profiles, perform analytics, or train AI models
  • Share data with third parties - Except for OAuth token management by Nango (our secure OAuth provider), no Google user data is shared with any third party
  • Allow human access to your data - We do not allow humans to read your Gmail, Calendar, Contacts, or Drive data except: (a) for security purposes, (b) to comply with applicable law, or (c) with your explicit permission
  • Transfer data between apps - Google data is not transferred to any other apps. It flows only between Google's servers and your AI client

How Google Data Flows Through MCP Hubby

When your AI assistant requests Gmail, Calendar, Contacts, or Drive data:

  1. Your AI assistant sends a request to MCP Hubby (e.g., "show my calendar for tomorrow" or "find my Q4 planning doc")
  2. MCP Hubby authenticates the request using your encrypted OAuth token
  3. The request is forwarded to Google's Gmail, Calendar, People (Contacts), or Drive API in real-time
  4. Google's API returns the data (e.g., search results)
  5. MCP Hubby immediately forwards the response to your AI assistant

At no point in this process is email content, calendar event data, contact information, file content, or user information stored on MCP Hubby servers. We function purely as a secure authentication proxy.

Changes to This Policy

We may update this Privacy Policy from time to time. We'll notify you of significant changes by:

  • Posting the new policy on this page
  • Updating the "Last updated" date
  • Sending an email notification (for major changes)

Contact Us

Questions about this Privacy Policy? Contact us:

Last updated: October 15, 2025